A security bug affecting OpenSSL was announced this week (07-Apr-2014). OpenSSL versions 1.0.1 through 1.0.1f (inclusive) are vulnerable.
Symantec Data Center Security Server Advanced 6.0 (formerly the SCSP product) utilizes OpenSSL. CSP is not directly vulnerable; however, the agent is impacted, but exploitation requires chaining of vulnerabilities. The agent will only communicate with its management servers, so in order for someone to exploit the OpenSSL vulnerability, they must cause the agent to connect to a malicious server.
Which versions are impacted?
- SDCS: SA and CSP Server and Console are not impacted.
- SCSP 5.2.9 MP2 and older are not impacted.
- No versions of the Linux Agents are impacted. (Symantec does not distribute OpenSSL for these agents. The product uses the OpenSSL provided by the operating system. Customers should examine their systems, determine if they have a vulnerable version of OpenSSL, and update it if necessary.)
- SCSP 5.2.9 MP3 to SCSP MP5 Agents are impacted.
- SDCS:SA 6.0 Agents are impacted.
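For the Linux agents, which rely on the operating system's OpenSSL, the following added example (not Symantec code) classifies an `openssl version` banner against the range stated in this article, 1.0.1 through 1.0.1f. The function names are hypothetical. A match is only a prompt for review, because distributions can backport the fix without changing the upstream version string.

```shell
#!/bin/sh
# Added example, not Symantec code. Range taken from this article:
# OpenSSL 1.0.1 through 1.0.1f (inclusive).

# Return 0 if the version is in the article's range, 1 if it is a parsable
# version outside it, 2 if the string is not an OpenSSL version.
# Accepts a full banner ("OpenSSL 1.0.1e-fips 11 Feb 2013") or a bare "1.0.1e".
openssl_in_article_range() {
    _v=${1#OpenSSL }   # drop the "OpenSSL " prefix of a full banner
    _v=${_v%% *}       # keep the version token, drop the build date
    _v=${_v%%-*}       # drop suffixes such as "-fips"
    case "$_v" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        [0-9]*.[0-9]*.[0-9]*) return 1 ;;
        *) return 2 ;;
    esac
}

# Print a one-line verdict for a banner and return the same status code.
openssl_verdict() {
    _rc=0
    openssl_in_article_range "$1" || _rc=$?
    case "$_rc" in
        0) echo "REVIEW: '$1' is in 1.0.1-1.0.1f; check the package changelog for a backported fix" ;;
        1) echo "OK: '$1' is outside 1.0.1-1.0.1f" ;;
        *) echo "UNKNOWN: could not parse '$1'" ;;
    esac
    return "$_rc"
}

# Check the openssl binary found on PATH.
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "UNKNOWN: openssl not on PATH"; return 2; }
    openssl_verdict "$(openssl version)"
}

# Usage: check_local_openssl
```

This reports the `openssl` command-line binary on PATH only; confirm the installed library package version with the system's package manager as well.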
Will Symantec be releasing an update to address this?
Yes. Symantec engineering is currently working on an agent hotfix to address this issue. This article will be updated when the new version is available. Subscribe to this article to be notified of any changes.
What is the Risk Severity Rating?
Because exploitation requires chaining a series of vulnerabilities, Symantec has given this issue a low severity rating.
What Data could be exposed?
The CERT description (http://www.kb.cert.org/vuls/id/720951) identifies 4 categories of sensitive information that could be leaked. Using these categories, the data that might be leaked from a SCSP agent if someone were to exploit the vulnerability are as follows.
- Primary key material (secret keys): The agent does not handle primary key material.
- Secondary key material (user names and passwords used by vulnerable services): The agent does not handle secondary key material.
- Protected content (sensitive data used by vulnerable services): The content that might be leaked from the agent is the data that is transmitted between the agent and the management server over the OpenSSL encrypted connection. This includes SCSP event data, SCSP policy content, SCSP discovered application data, and other product content and configuration settings.
- Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations): The memory addresses and content of the agent service communicating over the network might be leaked.
The Heartbleed fix for Windows agents is now available on File Connect.